Around 10:24 AM most of the students at our school received this email from our IT administrator:

Subject: Scam email from your friends, classmates and teachers

Dear fellow students,

As you may already be aware, there is a scam email circulating around campus. So be careful.

This computer virus probably infected someone’s home computer (our school computers have an anti-virus program installed and can be infected as well, but it is less likely), grabbed the email contacts list off that computer together with some actual emails on that computer, then started composing fake emails with malicious links under authentic email subject headings that you have seen before. So, it looks like a real email from your friends. It is not easy to tell which email is real and which email is fake. My suggestion is that when you get a link in an email from your friend/classmates and you are not sure, contact them via phone/sms/wechat or just reply to the email and ask him/her whether he/she sent the email to you.

For this particular incident, if you accidentally clicked the link in the fake email, it will take you to a website that most likely has foul content/viruses/malware. Most modern browsers will actually warn you before you can go any further. If you are one of those unfortunate ones that actually reached the site, I highly recommend you perform a virus check immediately and change all your important passwords. Your identity could have been compromised.

We will continue to block them as they come by. So please let us know if you see this type of email in the future so that I can alert other people.

Good luck and exercise good judgements.

I managed to grab the infected email for myself for analysis from a friend who will remain anonymous (if you’re reading this thanks!) and took a look.

The contents of the email:

[Image: malware-email-contents]

Now, clicking on the link (DO NOT do this if you were one of the email recipients) will take you to this page:

[Image: office-365-atp-screen]

Huh, seems like Office 365 Advanced Threat Protection decided to be useful for once! But we want to proceed further. What is that link?

Going into Chrome DevTools, we see the full link:

[Image: chrome-devtools-full-link]

Again, do NOT enter this link into your browser. But since I’m within the confines of a nicely sandboxed virtual machine, I can continue.

Going to the link yields a download… that is immediately quarantined by Chrome and Windows Security:

[Image: automatic-download-quarantine]

So far so good! So what did Microsoft Defender see?

[Image: microsoft-defender]

Great. So if you have an up-to-date Windows 10 installation and use Chrome as your browser, rest assured that they will take care of this file for you in case you accidentally download it, which is quite nice. But for those protections to work you need to make sure Windows Security is scanning your device in real-time and that your computer is connected to the Internet, so that Chrome can update its list of files and websites to avoid.

I was curious as to what Trojan:Win32/Vigorf.A was, so I checked Microsoft’s webpage on the virus definition. It’s a hacktool, commonly supplied with keygens and cracked software – another reason to not pirate software or download stuff from untrusted websites.

So what is this site where the malware is hosted? Is Paradise Creations LLC fake?

I took a look around the main website. It seems like an ordinary landscaping/irrigation company located in the US. Their website is running WordPress, which might be why they are hosting a malware .zip. It could be that they are simply unaware that their website is breached, or they might be the malicious party themselves and Paradise Creations LLC is just a front. Because of the latter scenario I decided not to send them an email warning them about the malware. Hopefully their registrar can contact them and get them to remove the malware link.

For that to happen, let’s report this site to the registrar. Going onto WHOIS, we can check for the domain information:

[Image: malicious-domain-whois]

Great! There’s the abuse contact, so I sent them an email:

[Image: abuse-report]

What can you do to protect yourself?

When you receive such an email, remember that most attachments come attached with the email itself, and not as a separate download link. If you see something like that then you should be extra-cautious when clicking on that link.

Additionally, in the email shown above we see that the email content looks pretty generic – “You should look at this” and then no sender information after the “Regards,” line. This is also pretty suspicious.

Also, this is a case where Office 365 Threat Protection actually becomes a hindrance – you cannot see the link URL when you hover over the hyperlink. I would be extremely skeptical if my friend or teacher sent me a URL that began with paradisecreationsllc dot com, but since Office 365 Threat Protection links begin with apc01.safelinks.protection.outlook.com, you don’t know where you will be redirected to. Maybe there should be a delay on the protection page where Microsoft shows you the URL before redirecting to the actual page, so that users can choose whether or not they want to visit said website.
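To see what is hidden behind a Safe Links wrapper, here is a small Python helper (added for this post, not part of the original write-up or of any Microsoft tooling) that pulls the real destination out of the `url=` query parameter and checks whether its host is one the reader would expect from a classmate or teacher. The sample link, its path and the `myschool.edu` domain are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Office 365 Safe Links rewrites every link to <region>.safelinks.protection.outlook.com
# and carries the real destination percent-encoded in the "url=" query parameter.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def unwrap_safelink(link: str, max_depth: int = 5) -> str:
    """Return the real destination behind a Safe Links URL.

    Links that are not Safe Links wrappers are returned unchanged. Wrappers
    nested inside wrappers (e.g. forwarded mail) are unwrapped up to max_depth times.
    """
    for _ in range(max_depth):
        parsed = urlparse(link)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            break
        # parse_qs already percent-decodes the value, so no second unquote() here
        inner = parse_qs(parsed.query).get("url")
        if not inner:
            break  # a wrapper with no target: nothing more to unwrap
        link = inner[0]
    return link


def destination_host(link: str) -> str:
    """Lower-cased hostname of the final destination ('' if unparseable)."""
    return (urlparse(unwrap_safelink(link)).hostname or "").lower()


def is_expected_host(link: str, expected_domains) -> bool:
    """True if the real destination is one of the given domains or a subdomain of one."""
    host = destination_host(link)
    return any(host == d or host.endswith("." + d) for d in expected_domains)


# Constructed sample in the Safe Links shape; the path and tracking values are placeholders.
SAMPLE_SAFELINK = (
    "https://apc01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fwww.paradisecreationsllc.com%2FPLACEHOLDER-PATH%2Ffile.zip"
    "&data=PLACEHOLDER&sdata=PLACEHOLDER&reserved=0"
)

if __name__ == "__main__":
    print("real destination:", unwrap_safelink(SAMPLE_SAFELINK))
    # "myschool.edu" is a placeholder for whatever domain your school actually uses
    print("from an expected domain:", is_expected_host(SAMPLE_SAFELINK, ["myschool.edu"]))
```

Paste the `apc01.safelinks...` link copied from DevTools in place of the sample to see where it really points, without visiting it.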

Make sure that your operating system and browser are up to date, as they will most likely filter out these attacks before they can even be launched. If you think you have been infected and want to make sure, run an anti-virus scan. I recommend Malwarebytes since they have a high detection rate.

Finally, if you find yourself with such an email in your inbox, delete it immediately and report it to your network administrator. Or mark it as spam. On correctly configured Exchange networks and Office 365 directories, marking an email as spam will forward said email to the network admin so that he or she can figure out if the email is malicious or not.


Update – 2020-04-15 20:00

I got an email back from the abuse team over at Web.com. Turns out, I made a mistake [1]. Web is a registrar collective, and I need to actually contact the registrar in question in order to take action against the domain that is currently spreading the malware. Coincidentally, the registrar in question is Namecheap, which also has my domain on record (the blog you’re reading right now).

I’ve already reached out to Namecheap with a link to this post. I’ll post any updates I receive from them.

[Image: namecheap-abuse-report]

Update – 2020-04-22 14:08

Namecheap hosting finally responded today:

Hello,

Thank you for the report.

We have investigated the issue and no malicious content has been detected at the moment.

Please provide us with further details, if any, so that we can investigate deeper.

Should you have further questions, let us know.


Regards,
Oleg V.
Legal & Abuse Department
Namecheap Team


Now, when I go to the malware URL, it leads to a blank page. So it seems like Paradise Creations LLC managed to patch up their WordPress installation and removed the malware. Either that, or the malware author is now distributing the malware from a different URL.


[1] Now that I look back at it, I realize the ICANN listing had the name NAMECHEAPHOSTING.COM in caps… really obvious in retrospect. D’oh!